Real-World Workflows

How developers actually use MeowPass. From solo projects to team deployments to AI agents.

Solo

Solo Dev: New Project Setup

You just created a new project. You have API keys from Stripe, a database URL, and an OpenAI key. You want them encrypted and synced.

Day 1: Setup

First time ever
# Install (one time)
brew install meowrithm/tap/meowpass
mp login
# In your project directory
cd ~/projects/my-saas
mp init
# → scans .env, creates vault, encrypts 8 secrets, sets default
# → updates .gitignore

Daily workflow

Every day
# Start your dev server with secrets injected (never on disk)
mp run -- npm run dev
# Or if your tooling needs a .env file
mp pull
npm run dev

Adding a new service

Add Sentry
# Got a new API key? Store it
mp set SENTRY_DSN https://abc@sentry.io/123
# Update your .env
mp pull
# Or just use run — it picks up new secrets automatically
mp run -- npm run dev

New machine / fresh clone

On your laptop, second machine, or after a reformat
git clone git@github.com:you/my-saas.git
cd my-saas
mp login      # one-time auth
mp pull       # instant .env restoration
npm run dev   # running in seconds

Key insight

Your .env never goes in git. When you clone on a new machine, mp pull restores it instantly. No Slack messages, no 1Password lookups, no "hey can you send me the .env?"

Team

Team: Onboarding a New Developer

Sarah joins your team on Monday. She needs access to the project's secrets by her first standup.

Team lead (you)

Share vault with team
# Create a team (one-time)
mp team create backend
# Invite Sarah
mp team invite sarah@acme.dev --team <team-id> --role member
# Share the vault
mp share <vault-id> --team <team-id>
# → vault key re-encrypted for Sarah via X25519 key exchange
# → Sarah never sees your master password or raw keys

Sarah (new developer)

Sarah's first day
# Install and login
brew install meowrithm/tap/meowpass
mp login
# See what vaults she has access to
mp vault list
# Pull the project secrets
mp pull --vault <shared-vault-id>
# → .env file created with all team secrets
# → she's coding within minutes
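
The page says only that the vault key is re-encrypted for the recipient via X25519 key exchange. The following is an added example, not MeowPass's implementation, of one common way to build such a key wrap in Node.js: an ephemeral X25519 key pair, HKDF-SHA-256, and AES-256-GCM. The envelope layout, the context label, and the names `sarah` and `mallory` are assumptions.

```javascript
// Added example: a generic X25519 + HKDF + AES-256-GCM key wrap, not MeowPass's implementation.
const crypto = require('node:crypto');

const INFO = Buffer.from('example-vault-key-wrap-v1'); // constructed context label

// Derive a one-time wrapping key from an X25519 shared secret.
function deriveWrapKey(privateKey, publicKey, salt) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, salt, INFO, 32));
}

// Sender: wrap the vault key for one recipient using a fresh ephemeral key pair.
function wrapVaultKey(vaultKey, recipientPublicKey) {
  const eph = crypto.generateKeyPairSync('x25519');
  const ephPub = eph.publicKey.export({ type: 'spki', format: 'der' });
  const nonce = crypto.randomBytes(12);
  const key = deriveWrapKey(eph.privateKey, recipientPublicKey, ephPub);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([cipher.update(vaultKey), cipher.final()]);
  return { ephPub, nonce, ct, tag: cipher.getAuthTag() };
}

// Recipient: recompute the same wrapping key from the ephemeral public key and unwrap.
function unwrapVaultKey(env, recipientPrivateKey) {
  const ephPub = crypto.createPublicKey({ key: env.ephPub, type: 'spki', format: 'der' });
  const key = deriveWrapKey(recipientPrivateKey, ephPub, env.ephPub);
  const d = crypto.createDecipheriv('aes-256-gcm', key, env.nonce);
  d.setAuthTag(env.tag);
  return Buffer.concat([d.update(env.ct), d.final()]); // throws if tampered or wrong key
}

// Returns true if unwrapping succeeds, false if authentication fails.
function canUnwrap(env, privateKey) {
  try { unwrapVaultKey(env, privateKey); return true; } catch { return false; }
}

// Constructed demo: "sarah" and "mallory" are hypothetical recipients.
const vaultKey = crypto.randomBytes(32);
const sarah = crypto.generateKeyPairSync('x25519');
const mallory = crypto.generateKeyPairSync('x25519');
const envelope = wrapVaultKey(vaultKey, sarah.publicKey);
console.log('sarah unwraps:', unwrapVaultKey(envelope, sarah.privateKey).equals(vaultKey));
console.log('other key unwraps:', canUnwrap(envelope, mallory.privateKey));
```

The sender needs only the recipient's public key, so neither side's private key or master password crosses the wire, and the GCM tag makes a modified envelope fail to unwrap.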

vs. the old way

Without MeowPass: "Hey can someone DM me the .env?" → 3 hours later, half the keys are wrong, and the DATABASE_URL is for staging. With MeowPass: mp pull → correct secrets, encrypted, audited.

DevOps

Multi-Environment: Dev → Staging → Production

You have 3 environments with different secrets. You need to switch between them and deploy to each.

Setup: one vault, multiple environments

Push each environment
# Push your dev secrets (default .env)
mp push
# Push staging secrets
mp push --env staging
# Push production secrets
mp push --env production

Switching environments locally

Local development
# Run with dev secrets (default)
mp run -- npm run dev
# Run with staging secrets
mp pull --env staging
npm run dev
# Quick check: what's different between local and vault?
mp diff
mp diff --env production

Deploy to production

CI/CD pipeline
# In GitHub Actions:
- uses: meowrithm/meowpass-action@v1
  with:
    vault_id: ${{ secrets.MEOWPASS_VAULT_ID }}
    token: ${{ secrets.MEOWPASS_TOKEN }}
    master_key: ${{ secrets.MEOWPASS_MASTER_KEY }}
    salt: ${{ secrets.MEOWPASS_SALT }}
# Or manually:
mp pull --env production
docker build --secret id=env,src=.env.production .

Security

Incident Response: Rotating Compromised Keys

Your Stripe key leaked in a log. You need to rotate it and re-encrypt the entire vault.

Incident response
# 1. Rotate the compromised key on Stripe's dashboard
#    Get the new key: sk_live_NEW_KEY_HERE
# 2. Update in MeowPass
mp set STRIPE_KEY sk_live_NEW_KEY_HERE
# → automatically creates version 2
# 3. Verify the old value is in history
mp history STRIPE_KEY
# v2 2026-05-06 09:15 (current)
# v1 2026-05-01 14:30
# 4. Rotate the entire vault key for extra safety
mp rotate
# → new encryption key, all 12 secrets re-encrypted
# 5. Team members pull the updated secrets
#    (they just run their normal workflow)
mp pull
# 6. Redeploy with new secrets
mp run -- npm run deploy

Recovery time

Total time: ~2 minutes. Compare with: update key in 1Password, DM the team on Slack, update 3 CI configs, pray nobody has the old .env cached somewhere.

CI/CD

CI/CD: GitHub Actions Deploy

Your deploy pipeline needs production secrets. You don't want .env files in your repo.

One-time setup

Local terminal
# Create a CI-specific API key
mp apikey create github-ci
# Export your key material for GitHub secrets
mp export-key --format env
# MEOWPASS_MASTER_KEY=b6b1ab19...
# MEOWPASS_SALT=eNiyZD1y...
# MEOWPASS_VAULT_ID=a1b2c3d4...
# Add all 4 values as GitHub repository secrets:
# MEOWPASS_TOKEN, MEOWPASS_MASTER_KEY, MEOWPASS_SALT, MEOWPASS_VAULT_ID

Workflow file

.github/workflows/deploy.yml
name: Deploy
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: meowrithm/meowpass-action@v1
        with:
          vault_id: ${{ secrets.MEOWPASS_VAULT_ID }}
          token: ${{ secrets.MEOWPASS_TOKEN }}
          master_key: ${{ secrets.MEOWPASS_MASTER_KEY }}
          salt: ${{ secrets.MEOWPASS_SALT }}
      - run: npm ci && npm run build && npm run deploy
        # All secrets available as env vars

Pre-deploy drift check

Add to your CI pipeline
# Fail the build if .env.example is out of sync with vault
mp diff --exit-on-drift

AI-Native

AI Agent: Claude Code Managing Secrets

You're coding with Claude Code. You need it to manage secrets without exposing values in the conversation.

Setup (one-time)

Terminal
# Create an API key for the MCP server
mp apikey create claude-mcp
# Add to Claude Code
claude mcp add meowpass \
  -e MEOWPASS_API_KEY=mp_your_key \
  -- npx -y @meowlabs/meowpass-mcp

Example conversations

"Is my .env up to date?"

→ Claude calls meowpass_diff

→ "Your local .env is missing 2 secrets: REDIS_URL (added 3 days ago) and NEW_FEATURE_FLAG (added yesterday). Run mp pull to sync."

"I just added Stripe to this project. Set up the secrets."

→ Claude detects stripe in package.json

→ Creates placeholders: STRIPE_SECRET_KEY, STRIPE_PUBLISHABLE_KEY, STRIPE_WEBHOOK_SECRET

→ "I've created 3 secret placeholders. Fill them in with your actual Stripe keys."

"Deploy this with production secrets."

→ Claude calls meowpass_run_redacted

→ Secrets injected into deploy command. Output scrubbed — Claude never sees the actual values.

→ "Deployed successfully. 12 secrets injected. Exit code 0."

"What secrets do we have in the production vault?"

→ Claude calls meowpass_list_secrets

→ Returns key names and versions only — no values exposed to the LLM context.

Security model for AI

  • API keys have scopes — create read-only keys for agents
  • meowpass_run_redacted scrubs all secret values from output
  • meowpass_list_secrets returns names only, never values
  • Every MCP access is logged in the audit trail
  • Revoke a compromised key instantly: mp apikey revoke <id>
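
How an output scrubber of the kind the list above attributes to meowpass_run_redacted can work, as an added example that is not MeowPass's code: secrets reach the child process only through its environment, and the captured output is scrubbed of each value and of its URL-encoded and base64 forms. The function names, the `[REDACTED:NAME]` placeholder, the length threshold and the sample values are assumptions.

```javascript
// Added example, not MeowPass code; names and sample secrets are constructed.
const { spawnSync } = require('node:child_process');

const MIN_LEN = 6; // shorter values match ordinary text; report them instead

// Strings to scrub: each value plus encodings a tool might print it in.
function buildNeedles(secrets) {
  const needles = [];
  const skipped = [];
  for (const [name, value] of Object.entries(secrets)) {
    if (value.length < MIN_LEN) { skipped.push(name); continue; }
    const forms = new Set([
      value,
      encodeURIComponent(value),
      Buffer.from(value).toString('base64'),
    ]);
    for (const text of forms) needles.push({ name, text });
  }
  // Longest first, so a value that contains another is replaced whole.
  needles.sort((a, b) => b.text.length - a.text.length);
  return { needles, skipped };
}

function redact(output, secrets) {
  const { needles, skipped } = buildNeedles(secrets);
  let text = output;
  for (const n of needles) text = text.split(n.text).join(`[REDACTED:${n.name}]`);
  return { text, skipped };
}

// Secrets reach the child only through its environment. Output is buffered
// in full before scrubbing, so a value cannot straddle two stream chunks.
function runRedacted(cmd, args, secrets) {
  const r = spawnSync(cmd, args, { env: { ...process.env, ...secrets }, encoding: 'utf8' });
  const out = redact((r.stdout || '') + (r.stderr || ''), secrets);
  return { exitCode: r.status, output: out.text, skipped: out.skipped };
}

// Constructed sample values, not real credentials.
const sampleSecrets = {
  STRIPE_KEY: 'sk_live_CONSTRUCTED_0001',
  DATABASE_URL: 'postgres://app:p@ss/w0rd@db.internal/app',
  PIN: '1234',
};
const child = 'console.log("key=" + process.env.STRIPE_KEY);' +
  'console.error("dsn=" + encodeURIComponent(process.env.DATABASE_URL))';
const result = runRedacted(process.execPath, ['-e', child], sampleSecrets);
console.log(result);
```

String matching of this kind misses values a command transforms in ways the scrubber does not anticipate (hex, truncation, hashing), which is why the `skipped` list and read-only scoped keys matter alongside it.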

Lifecycle

Full Lifecycle: Project Start to Sunset

The complete MeowPass lifecycle for a project from creation to archival.

Day 1: Project kickoff
mp init → vault created, .env encrypted, default set

Week 1: Daily development
mp run -- npm run dev every morning. Add keys with mp set

Week 2: Team grows
mp team invite + mp share. New dev runs mp pull → coding in minutes

Month 1: CI/CD setup
mp export-key → GitHub secrets. meowrithm/meowpass-action@v1 in workflow

Month 3: Security audit
mp rotate to refresh vault key. mp history to review changes. Check audit logs via API

Month 6: Key rotation after employee departure
Rotate all affected keys. mp rotate. Team runs mp pull. Done in minutes, not hours.

Year 1: Project sunset
mp pull → archive .env. mp vault delete → clean. No orphaned secrets.

Agent

Agent-Friendly: Building an AI-Powered Dev Workflow

How to set up MeowPass so AI coding agents (Claude Code, Cursor, Windsurf) can safely manage your secrets.

The principle: agents orchestrate, never see values

MeowPass's MCP server gives AI agents 14 tools to manage secrets. The key security feature: agents can list, create, inject, and compare secrets without ever seeing plaintext values.

Setup for Claude Code

One-time setup
mp apikey create claude-agent
claude mcp add meowpass \
  -e MEOWPASS_API_KEY=mp_your_key \
  -- npx -y @meowlabs/meowpass-mcp

What agents can do

| Action | Tool | Values exposed? |
| --- | --- | --- |
| List vaults | meowpass_list_vaults | No |
| List secret names | meowpass_list_secrets | No |
| Check .env drift | meowpass_diff | No (keys only) |
| Scan for .env files | meowpass_init | No |
| Create a vault | meowpass_create_vault | No |
| Run command with secrets | meowpass_run_redacted | No (scrubbed) |
| Decrypt a specific secret | meowpass_decrypt | Yes (requires master pw) |

Agent workflow pattern

What happens behind the scenes
You: "Deploy my app with production secrets"
Claude Code:
  1. meowpass_list_vaults → finds "my-app" vault
  2. meowpass_list_secrets → 12 secrets found
  3. meowpass_run_redacted → injects secrets, runs deploy
  4. Returns: "Deployed. 12 secrets injected. Exit 0."
Secret values never entered the conversation context.